NetApp Ransomware Resilience Volume Offline Playbook
This playbook takes a NetApp volume offline using the updated NetApp Ransomware Resilience take-volume-offline API endpoint and optionally polls for completion.
Logic App Connectors
This playbook uses 1 Logic App connector / built-in action:
| Connector / Action | Type | Connections | Actions |
| --- | --- | --- | --- |
| http | Built-in | 0 | 3 |
Action parameters (URLs, paths, function IDs)
http (Built-in)
| Action | Method | Endpoint | Other |
| --- | --- | --- | --- |
| Call_Auth_Playbook | POST | [listCallbackUrl(resourceId('Microsoft.Logic/workflows/triggers', parameters('NetAppRansomwareResilienceAuthPlaybookName'), 'manual'), '2019-05-01').value] | — |
| Submit_Volume_Offline | POST | https://api.bluexp.netapp.com/v1/services/rps/v1/account/@{variables('AccountId')}/storage/take-volume-offline | — |
| Call_Async_Poll_Playbook | POST | [listCallbackUrl(resourceId('Microsoft.Logic/workflows/triggers', parameters('NetAppRansomwareResilienceAsyncPollPlaybookName'), 'manual'), '2019-05-01').value] | — |
Additional Documentation
📄 Source: NetApp-RansomwareResilience_Volume_Offline_Playbook/readme.md
NetApp-RansomwareResilience-Volume-Offline
Overview
This playbook takes NetApp volumes offline to immediately stop access and prevent further damage during a security incident. Taking a volume offline is a protective action that isolates compromised or at-risk storage.
Purpose
When you identify a volume that is compromised by ransomware or under active attack, taking it offline immediately stops all access, preventing the spread of malware and protecting other parts of your infrastructure.
Deployment Order
This playbook should be deployed SIXTH, after:
- ✅ Auth Playbook (required)
- ✅ Async Poll Playbook (required)
- ✅ Enrich IP Playbook (optional)
- ✅ Enrich StorageVM Playbook (optional)
- ✅ Volume Snapshot Playbook (optional, but strongly recommended)
What It Does
- Accepts volume ID, agent ID, and system ID as input
- Retrieves authentication from the Auth Playbook
- Initiates a volume offline operation via the NetApp API
- Uses the Async Poll Playbook to monitor operation completion
- Confirms when the volume is successfully taken offline
- Returns operation status
Prerequisites
Before deploying this playbook:
- Auth Playbook must be deployed and functioning correctly
- Async Poll Playbook must be deployed and functioning correctly
- Valid NetApp API credentials configured
How to Use
This playbook can be:
- Called manually when you need to isolate a compromised volume
- Triggered automatically by Microsoft Sentinel automation rules during high-severity incidents
- Used as the final step in incident response workflows
- Combined with snapshot playbooks for data protection before isolation
Input Required:
volume_id: The ID of the volume to take offline
agent_id: The NetApp agent identifier
system_id: The NetApp system identifier
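The flow listed under What It Does, driven by the three inputs above, as an added Python model that is not the playbook's own code: the Auth Playbook, the HTTP action and the Async Poll Playbook are injected callables so it can be exercised offline. The endpoint path and the input IDs come from this page; the JSON body keys, the bearer header, the jobId field and the poll state names are assumptions.

```python
"""Added example, not the playbook's own code: a plain-Python model of the
playbook's flow (Auth -> Submit_Volume_Offline -> Async Poll). The endpoint
path and the three input IDs come from the readme; the JSON body keys, the
bearer header, the 'jobId' field and the poll state names are assumptions."""
from typing import Any, Callable, Dict, Tuple

BASE_URL = "https://api.bluexp.netapp.com/v1/services/rps/v1/account"
TERMINAL_STATES = {"completed", "failed"}      # assumed poll outcomes
Response = Tuple[int, Dict[str, Any]]          # (HTTP status, decoded JSON)


def build_offline_request(account_id: str, token: str, volume_id: str,
                          agent_id: str, system_id: str):
    """Validate the inputs and assemble the Submit_Volume_Offline call."""
    for name, val in (("volume_id", volume_id), ("agent_id", agent_id),
                      ("system_id", system_id)):
        if not isinstance(val, str) or not val.strip():
            raise ValueError(f"{name} is required")  # never fire at a blank target
    url = f"{BASE_URL}/{account_id}/storage/take-volume-offline"
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    body = {"volumeId": volume_id, "agentId": agent_id, "systemId": system_id}
    return "POST", url, headers, body


def take_volume_offline(get_token: Callable[[], str],
                        post: Callable[[str, Dict[str, str], Dict[str, Any]], Response],
                        poll: Callable[[str], str],
                        account_id: str, volume_id: str, agent_id: str,
                        system_id: str, max_polls: int = 10) -> Dict[str, Any]:
    """get_token, post and poll stand in for the Auth Playbook, the HTTP action
    and the Async Poll Playbook, so the flow can be exercised offline."""
    token = get_token()
    _method, url, headers, body = build_offline_request(
        account_id, token, volume_id, agent_id, system_id)
    code, resp = post(url, headers, body)
    if code not in (200, 202):
        return {"status": "failed", "reason": f"submit returned HTTP {code}"}
    job_id = resp.get("jobId")                 # assumed async job identifier
    if job_id is None:                         # API completed synchronously
        return {"status": "completed", "volume_id": volume_id, "polls": 0}
    for attempt in range(1, max_polls + 1):
        state = poll(job_id)
        if state in TERMINAL_STATES:
            return {"status": state, "volume_id": volume_id, "polls": attempt}
    return {"status": "timeout", "volume_id": volume_id, "polls": max_polls}
```

The bounded poll loop returns a distinct "timeout" status rather than looping forever, which is the case an automation rule most needs to surface for manual follow-up.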
⚠️ Critical Considerations
Before taking a volume offline:
- Create a snapshot first using the Volume Snapshot Playbook—this ensures you have a recovery point
- Understand the business impact—offline volumes are completely inaccessible
- Verify you're targeting the correct volume
- Have a recovery plan in place
- Document the reason for taking the volume offline
Use Case Example
Ransomware Containment:
- Receive alert about active file encryption on a volume
- Use Enrich IP or Enrich StorageVM playbooks to confirm the affected volume
- Use Volume Snapshot playbook to create a clean recovery point
- Use this playbook to take the compromised volume offline
- Investigation and remediation can proceed safely
- Restore from snapshot when ready
Post-Deployment Configuration
After deploying this playbook:
- Test with a non-production volume using valid IDs
- Verify the volume is taken offline successfully
- Test bringing the volume back online to ensure recoverability
- Configure automation rules with appropriate severity thresholds
- Document your volume offline procedures and approval workflows
Building Custom Workflows
This playbook is typically the final protective action in an incident response workflow:
- Enrich IP → Identify volume → Take snapshot → Take volume offline
- Critical alert → Enrich StorageVM → Snapshot critical volumes → Offline compromised volume
Need Help?
If the volume offline operation isn't working, verify:
- The Auth Playbook is returning valid tokens
- The Async Poll Playbook is functioning correctly
- Volume ID, agent ID, and system ID are correct
- You have appropriate permissions to modify volume states
- The volume is currently online and accessible
Recovery
To bring a volume back online after remediation:
- Use NetApp management tools or APIs
- Verify the threat has been fully remediated before bringing volumes online
- Restore from snapshots if data was compromised